CTRL 6.4.2 Which firms must have internal auditor?

(1) A QFC bank must have an individual who is approved to exercise the internal audit function for the firm.
(2) A QFC insurer (other than a QFC captive insurer):
(a) must have an individual who is approved to exercise the internal audit function for the firm; or
(b) may, with the permission of the Regulatory Authority, appoint a suitably qualified third party as internal auditor.
(3) For Part 8.2, the appointment of a third party by a QFC insurer is a material outsourcing arrangement.
(4) Any other authorised firm must have an individual who is approved to exercise the internal audit function for the firm if it is appropriate to do so because of the nature, scale and complexity of the firm’s business.
(5) The Authority may direct an authorised firm to appoint an individual who is approved to exercise the internal audit function for the firm.
Guidance
For a firm that is part of a corporate group, the corporate group internal audit function may be used to perform the function for the firm. This means that the firm is not required to have a dedicated resource for the internal audit function. The work to be undertaken by the internal audit function would depend on the agreed risk-based audit plan for the firm and the corporate group-wide auditor would be best placed to decide that work.
Note Nothing in this rule prevents a firm from appointing a corporate group employee to the internal audit function.

 

Derived from QFCRA RM/2020-4 (as from 1st July 2021)